diff --git a/sigma/data/mitre_attack.py b/sigma/data/mitre_attack.py
index d51d9511..73d57b64 100644
--- a/sigma/data/mitre_attack.py
+++ b/sigma/data/mitre_attack.py
@@ -1,6 +1,6 @@
 from typing import Dict, List
-mitre_attack_version: str = "15.1"
+mitre_attack_version: str = "16.1"
 mitre_attack_tactics: Dict[str, str] = {
 "TA0001": "initial-access",
 "TA0002": "execution",
@@ -21,7 +21,7 @@
 "T1001": "Data Obfuscation",
 "T1001.001": "Junk Data",
 "T1001.002": "Steganography",
- "T1001.003": "Protocol Impersonation",
+ "T1001.003": "Protocol or Service Impersonation",
 "T1003": "OS Credential Dumping",
 "T1003.001": "LSASS Memory",
 "T1003.002": "Security Account Manager",
@@ -70,6 +70,7 @@
 "T1027.011": "Fileless Storage",
 "T1027.012": "LNK Icon Smuggling",
 "T1027.013": "Encrypted/Encoded File",
+ "T1027.014": "Polymorphic Code",
 "T1029": "Scheduled Transfer",
 "T1030": "Data Transfer Size Limits",
 "T1033": "System Owner/User Discovery",
@@ -83,6 +84,7 @@
 "T1036.007": "Double File Extension",
 "T1036.008": "Masquerade File Type",
 "T1036.009": "Break Process Trees",
+ "T1036.010": "Masquerade Account Name",
 "T1037": "Boot or Logon Initialization Scripts",
 "T1037.001": "Logon Script (Windows)",
 "T1037.002": "Login Hook",
@@ -137,6 +139,7 @@
 "T1059.008": "Network Device CLI",
 "T1059.009": "Cloud API",
 "T1059.010": "AutoHotKey & AutoIT",
+ "T1059.011": "Lua",
 "T1068": "Exploitation for Privilege Escalation",
 "T1069": "Permission Groups Discovery",
 "T1069.001": "Local Groups",
@@ -152,11 +155,13 @@
 "T1070.007": "Clear Network Connection History and Configurations",
 "T1070.008": "Clear Mailbox Data",
 "T1070.009": "Clear Persistence",
+ "T1070.010": "Relocate Malware",
 "T1071": "Application Layer Protocol",
 "T1071.001": "Web Protocols",
 "T1071.002": "File Transfer Protocols",
 "T1071.003": "Mail Protocols",
 "T1071.004": "DNS",
+ "T1071.005": "Publish/Subscribe Protocols",
 "T1072": "Software Deployment Tools",
 "T1074": "Data Staged",
 "T1074.001": "Local Data Staging",
@@ -189,6 +194,7 @@
 "T1098.004": "SSH Authorized Keys",
 "T1098.005": "Device Registration",
 "T1098.006": "Additional Container Cluster Roles",
+ "T1098.007": "Additional Local or Domain Groups",
 "T1102": "Web Service",
 "T1102.001": "Dead Drop Resolver",
 "T1102.002": "Bidirectional Communication",
@@ -216,6 +222,7 @@
 "T1125": "Video Capture",
 "T1127": "Trusted Developer Utilities Proxy Execution",
 "T1127.001": "MSBuild",
+ "T1127.002": "ClickOnce",
 "T1129": "Shared Modules",
 "T1132": "Data Encoding",
 "T1132.001": "Standard Encoding",
@@ -270,6 +277,8 @@
 "T1213.001": "Confluence",
 "T1213.002": "Sharepoint",
 "T1213.003": "Code Repositories",
+ "T1213.004": "Customer Relationship Management Software",
+ "T1213.005": "Messaging Applications",
 "T1216": "System Script Proxy Execution",
 "T1216.001": "PubPrn",
 "T1216.002": "SyncAppvPublishingServer",
@@ -297,11 +306,13 @@
 "T1222.002": "Linux and Mac File and Directory Permissions Modification",
 "T1480": "Execution Guardrails",
 "T1480.001": "Environmental Keying",
+ "T1480.002": "Mutual Exclusion",
 "T1482": "Domain Trust Discovery",
 "T1484": "Domain or Tenant Policy Modification",
 "T1484.001": "Group Policy Modification",
 "T1484.002": "Trust Modification",
 "T1485": "Data Destruction",
+ "T1485.001": "Lifecycle-Triggered Deletion",
 "T1486": "Data Encrypted for Impact",
 "T1489": "Service Stop",
 "T1490": "Inhibit System Recovery",
@@ -310,6 +321,10 @@
 "T1491.002": "External Defacement",
 "T1495": "Firmware Corruption",
 "T1496": "Resource Hijacking",
+ "T1496.001": "Compute Hijacking",
+ "T1496.002": "Bandwidth Hijacking",
+ "T1496.003": "SMS Pumping",
+ "T1496.004": "Cloud Service Hijacking",
 "T1497": "Virtualization/Sandbox Evasion",
 "T1497.001": "System Checks",
 "T1497.002": "User Activity Based Checks",
@@ -370,6 +385,7 @@
 "T1546.014": "Emond",
 "T1546.015": "Component Object Model Hijacking",
 "T1546.016": "Installer Packages",
+ "T1546.017": "Udev Rules",
 "T1547": "Boot or Logon Autostart Execution",
 "T1547.001": "Registry Run Keys / Startup Folder",
 "T1547.002": "Authentication Package",
@@ -435,11 +451,13 @@
 "T1557.001": "LLMNR/NBT-NS Poisoning and SMB Relay",
 "T1557.002": "ARP Cache Poisoning",
 "T1557.003": "DHCP Spoofing",
+ "T1557.004": "Evil Twin",
 "T1558": "Steal or Forge Kerberos Tickets",
 "T1558.001": "Golden Ticket",
 "T1558.002": "Silver Ticket",
 "T1558.003": "Kerberoasting",
 "T1558.004": "AS-REP Roasting",
+ "T1558.005": "Ccache Files",
 "T1559": "Inter-Process Communication",
 "T1559.001": "Component Object Model",
 "T1559.002": "Dynamic Data Exchange",
@@ -655,6 +673,7 @@
 "T1657": "Financial Theft",
 "T1659": "Content Injection",
 "T1665": "Hide Infrastructure",
+ "T1666": "Modify Cloud Resource Hierarchy",
 }
 mitre_attack_techniques_tactics_mapping: Dict[str, List[str]] = {
 "T1001": ["command-and-control"],
@@ -709,6 +728,7 @@
 "T1027.011": ["defense-evasion"],
 "T1027.012": ["defense-evasion"],
 "T1027.013": ["defense-evasion"],
+ "T1027.014": ["defense-evasion"],
 "T1029": ["exfiltration"],
 "T1030": ["exfiltration"],
 "T1033": ["discovery"],
@@ -722,6 +742,7 @@
 "T1036.007": ["defense-evasion"],
 "T1036.008": ["defense-evasion"],
 "T1036.009": ["defense-evasion"],
+ "T1036.010": ["defense-evasion"],
 "T1037": ["persistence", "privilege-escalation"],
 "T1037.001": ["persistence", "privilege-escalation"],
 "T1037.002": ["persistence", "privilege-escalation"],
@@ -776,6 +797,7 @@
 "T1059.008": ["execution"],
 "T1059.009": ["execution"],
 "T1059.010": ["execution"],
+ "T1059.011": ["execution"],
 "T1068": ["privilege-escalation"],
 "T1069": ["discovery"],
 "T1069.001": ["discovery"],
@@ -791,11 +813,13 @@
 "T1070.007": ["defense-evasion"],
 "T1070.008": ["defense-evasion"],
 "T1070.009": ["defense-evasion"],
+ "T1070.010": ["defense-evasion"],
 "T1071": ["command-and-control"],
 "T1071.001": ["command-and-control"],
 "T1071.002": ["command-and-control"],
 "T1071.003": ["command-and-control"],
 "T1071.004": ["command-and-control"],
+ "T1071.005": ["command-and-control"],
 "T1072": ["execution", "lateral-movement"],
 "T1074": ["collection"],
 "T1074.001": ["collection"],
@@ -828,6 +852,7 @@
 "T1098.004": ["persistence", "privilege-escalation"],
 "T1098.005": ["persistence", "privilege-escalation"],
 "T1098.006": ["persistence", "privilege-escalation"],
+ "T1098.007": ["persistence", "privilege-escalation"],
 "T1102": ["command-and-control"],
 "T1102.001": ["command-and-control"],
 "T1102.002": ["command-and-control"],
@@ -855,6 +880,7 @@
 "T1125": ["collection"],
 "T1127": ["defense-evasion"],
 "T1127.001": ["defense-evasion"],
+ "T1127.002": ["defense-evasion"],
 "T1129": ["execution"],
 "T1132": ["command-and-control"],
 "T1132.001": ["command-and-control"],
@@ -909,6 +935,8 @@
 "T1213.001": ["collection"],
 "T1213.002": ["collection"],
 "T1213.003": ["collection"],
+ "T1213.004": ["collection"],
+ "T1213.005": ["collection"],
 "T1216": ["defense-evasion"],
 "T1216.001": ["defense-evasion"],
 "T1216.002": ["defense-evasion"],
@@ -936,11 +964,13 @@
 "T1222.002": ["defense-evasion"],
 "T1480": ["defense-evasion"],
 "T1480.001": ["defense-evasion"],
+ "T1480.002": ["defense-evasion"],
 "T1482": ["discovery"],
 "T1484": ["defense-evasion", "privilege-escalation"],
 "T1484.001": ["defense-evasion", "privilege-escalation"],
 "T1484.002": ["defense-evasion", "privilege-escalation"],
 "T1485": ["impact"],
+ "T1485.001": ["impact"],
 "T1486": ["impact"],
 "T1489": ["impact"],
 "T1490": ["impact"],
@@ -949,6 +979,10 @@
 "T1491.002": ["impact"],
 "T1495": ["impact"],
 "T1496": ["impact"],
+ "T1496.001": ["impact"],
+ "T1496.002": ["impact"],
+ "T1496.003": ["impact"],
+ "T1496.004": ["impact"],
 "T1497": ["defense-evasion", "discovery"],
 "T1497.001": ["defense-evasion", "discovery"],
 "T1497.002": ["defense-evasion", "discovery"],
@@ -1009,6 +1043,7 @@
 "T1546.014": ["privilege-escalation", "persistence"],
 "T1546.015": ["privilege-escalation", "persistence"],
 "T1546.016": ["privilege-escalation", "persistence"],
+ "T1546.017": ["persistence", "privilege-escalation"],
 "T1547": ["persistence", "privilege-escalation"],
 "T1547.001": ["persistence", "privilege-escalation"],
 "T1547.002": ["persistence", "privilege-escalation"],
@@ -1074,11 +1109,13 @@
 "T1557.001": ["credential-access", "collection"],
 "T1557.002": ["credential-access", "collection"],
 "T1557.003": ["credential-access", "collection"],
+ "T1557.004": ["credential-access", "collection"],
 "T1558": ["credential-access"],
 "T1558.001": ["credential-access"],
 "T1558.002": ["credential-access"],
 "T1558.003": ["credential-access"],
 "T1558.004": ["credential-access"],
+ "T1558.005": ["credential-access"],
 "T1559": ["execution"],
 "T1559.001": ["execution"],
 "T1559.002": ["execution"],
@@ -1294,6 +1331,7 @@
 "T1657": ["impact"],
 "T1659": ["initial-access", "command-and-control"],
 "T1665": ["command-and-control"],
+ "T1666": ["defense-evasion"],
 }
 mitre_attack_intrusion_sets: Dict[str, str] = {
 "G0001": "Axiom",
@@ -1445,6 +1483,17 @@
 "G1024": "Akira",
 "G1026": "Malteiro",
 "G1028": "APT-C-23",
+ "G1030": "Agrius",
+ "G1031": "Saint Bear",
+ "G1032": "INC Ransom",
+ "G1033": "Star Blizzard",
+ "G1034": "Daggerfly",
+ "G1035": "Winter Vivern",
+ "G1036": "Moonstone Sleet",
+ "G1037": "TA577",
+ "G1038": "TA578",
+ "G1039": "RedCurl",
+ "G1040": "Play",
 }
 mitre_attack_software: Dict[str, str] = {
 "S0001": "Trojan.Mebromi",
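Review bot: The new `"T1546.017": ["persistence", "privilege-escalation"]` entry in the `@@ -1009,6 +1043,7 @@` hunk lists its tactics in the opposite order from every sibling `T1546.*` line, which all use `["privilege-escalation", "persistence"]`. The mapping is typed `List[str]`, so a consumer that compares these lists for equality or treats the first element as the primary tactic would see this sub-technique as differing from its parent, while a set-based comparison would not; which of the two the callers do is not visible here. If this file is produced by a generator script (it looks like it is, but that is not shown in the diff), the ordering is better fixed there so it does not reappear on the next refresh; otherwise change the line to `"T1546.017": ["privilege-escalation", "persistence"],`. The enclosing dict literal starts and ends outside the hunk.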
@@ -2031,6 +2080,7 @@
 "S0697": "HermeticWiper",
 "S0698": "HermeticWizard",
 "S0699": "Mythic",
+ "S1010": "VPNFilter",
 "S1011": "Tarrask",
 "S1012": "PowerLess",
 "S1013": "ZxxZ",
@@ -2125,4 +2175,36 @@
 "S1124": "SocGholish",
 "S1125": "AcidRain",
 "S1129": "Akira",
+ "S1130": "Raspberry Robin",
+ "S1131": "NPPSPY",
+ "S1132": "IPsec Helper",
+ "S1133": "Apostle",
+ "S1134": "DEADWOOD",
+ "S1135": "MultiLayer Wiper",
+ "S1136": "BFG Agonizer",
+ "S1137": "Moneybird",
+ "S1138": "Gootloader",
+ "S1139": "INC Ransomware",
+ "S1140": "Spica",
+ "S1141": "LunarWeb",
+ "S1142": "LunarMail",
+ "S1143": "LunarLoader",
+ "S1144": "FRP",
+ "S1145": "Pikabot",
+ "S1146": "MgBot",
+ "S1147": "Nightdoor",
+ "S1148": "Raccoon Stealer",
+ "S1149": "CHIMNEYSWEEP",
+ "S1150": "ROADSWEEP",
+ "S1151": "ZeroCleare",
+ "S1152": "IMAPLoader",
+ "S1153": "Cuckoo Stealer",
+ "S1154": "VersaMem",
+ "S1155": "Covenant",
+ "S1156": "Manjusaka",
+ "S1158": "DUSTPAN",
+ "S1159": "DUSTTRAP",
+ "S1160": "Latrodectus",
+ "S1161": "BPFDoor",
+ "S1162": "Playcrypt",
 }